To get the list of vulnerable dependencies, including transitive dependencies, an SBOM must be generated first.
Grype is then run against the SBOM to find all known vulnerabilities in the components it lists.
1. Install Grype Vulnerability Scanner
Download Grype for your OS from the link below:
https://github.com/anchore/grype/releases
2. Generate the SBOM (Software Bill of Materials) as a JSON or XML file. It lists the direct and transitive dependencies Maven resolves for the project.
Generate the SBOM (Software Bill of Materials) from the command line:
mvn org.cyclonedx:cyclonedx-maven-plugin:makeBom
OR, to generate the SBOM at build time, add the plugin below to pom.xml. Note that listing the plugin only configures it: for makeBom to run automatically during the build, also add an <executions> entry that binds the makeBom goal (its default phase is package); otherwise invoke the goal explicitly as above. With the configuration below, test, provided and system scoped dependencies are excluded, so vulnerabilities in those will not be reported, and because outputName is overridden the file is written to target/<artifactId>.cdx.sbom.json instead of the default target/bom.json.
<plugin>
    <groupId>org.cyclonedx</groupId>
    <artifactId>cyclonedx-maven-plugin</artifactId>
    <version>2.8.2</version>
    <configuration>
        <projectType>library</projectType>
        <schemaVersion>1.5</schemaVersion>
        <includeBomSerialNumber>true</includeBomSerialNumber>
        <includeCompileScope>true</includeCompileScope>
        <includeProvidedScope>false</includeProvidedScope>
        <includeRuntimeScope>true</includeRuntimeScope>
        <includeSystemScope>false</includeSystemScope>
        <includeTestScope>false</includeTestScope>
        <includeLicenseText>false</includeLicenseText>
        <outputReactorProjects>true</outputReactorProjects>
        <outputFormat>json</outputFormat>
        <outputName>${project.artifactId}.cdx.sbom</outputName>
        <outputDirectory>${project.build.directory}</outputDirectory>
        <verbose>false</verbose>
    </configuration>
</plugin>
3. Then go to the folder where Grype was extracted and run the command below (Windows version):
.\grype.exe <app_folder>\target\bom.json
bom.json is the default file name produced by the Maven command line above; with the pom.xml configuration shown, point Grype at <artifactId>.cdx.sbom.json instead. Grype auto-detects that the input is an SBOM; to be explicit, prefix the path with sbom: (.\grype.exe sbom:<app_folder>\target\bom.json).
This lists every known vulnerability matched against the components in the SBOM, with the version in which the CVE is fixed where the vulnerability database has that information (some matches have no fix available yet). Run grype db update before scanning so that recently published CVEs are included.
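As an added example, not from the original post or from the Grype project, the script below post-processes Grype's JSON report into the vulnerable-dependency table and a pass/fail decision for a CI pipeline: fail when any finding at or above a severity threshold already has a fixed version available. It assumes the report was produced with .\grype.exe sbom:<app_folder>\target\bom.json -o json > grype-report.json and reads only the fields matches[].vulnerability.id/severity/fix and matches[].artifact.name/version from Grype's JSON output. The sample report embedded in the script is constructed for illustration, with placeholder vulnerability IDs and artifact names.

```python
"""Gate a build on a Grype JSON report (added example, not the post's or Grype's own code).

Assumes the report was produced by:
    grype sbom:target/bom.json -o json > grype-report.json
Only these fields of Grype's JSON output are used:
    matches[].vulnerability.{id, severity, fix.versions}
    matches[].artifact.{name, version}
"""
import json
import sys

# Higher number = more severe. Grype reports "Unknown" when the source has no rating.
SEVERITY_RANK = {"negligible": 0, "unknown": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample of a Grype JSON report: three findings on Maven artifacts.
# Vulnerability IDs and artifact names are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "matches": [
        {
            "vulnerability": {"id": "VULN-EXAMPLE-1", "severity": "Critical",
                              "fix": {"versions": ["1.4.2"], "state": "fixed"}},
            "artifact": {"name": "example-parser", "version": "1.4.0", "type": "java-archive"},
        },
        {
            "vulnerability": {"id": "VULN-EXAMPLE-2", "severity": "Medium",
                              "fix": {"versions": [], "state": "not-fixed"}},
            "artifact": {"name": "example-http", "version": "3.0.1", "type": "java-archive"},
        },
        {
            "vulnerability": {"id": "VULN-EXAMPLE-3", "severity": "High",
                              "fix": {"versions": ["5.2.0", "5.3.1"], "state": "fixed"}},
            "artifact": {"name": "example-transitive", "version": "5.1.9", "type": "java-archive"},
        },
    ]
})


def parse_report(report_text):
    """Flatten Grype matches into one row per (artifact, vulnerability)."""
    doc = json.loads(report_text)
    rows = []
    for match in doc.get("matches", []):
        vuln = match["vulnerability"]
        artifact = match["artifact"]
        fix = vuln.get("fix") or {}
        rows.append({
            "artifact": artifact["name"],
            "version": artifact["version"],
            "id": vuln["id"],
            "severity": vuln.get("severity", "Unknown").lower(),
            # Empty list means Grype's database knows of no fixed version yet.
            "fixed_in": list(fix.get("versions") or []),
        })
    return rows


def findings_at_or_above(rows, threshold="high"):
    """Keep rows whose severity is at least the threshold (unknown counts as lowest)."""
    bar = SEVERITY_RANK[threshold.lower()]
    return [r for r in rows if SEVERITY_RANK.get(r["severity"], 0) >= bar]


def should_fail_build(rows, threshold="high", only_fixable=True):
    """Policy: fail when a finding at/above the threshold exists; optionally only if a fix exists."""
    hits = findings_at_or_above(rows, threshold)
    if only_fixable:
        hits = [r for r in hits if r["fixed_in"]]
    return len(hits) > 0


def render_table(rows):
    """Plain-text table, most severe first, with the fixed version(s) per finding."""
    lines = [f"{'ARTIFACT':<20} {'VERSION':<8} {'ID':<16} {'SEVERITY':<9} FIXED IN"]
    for r in sorted(rows, key=lambda r: -SEVERITY_RANK.get(r["severity"], 0)):
        fixed = ", ".join(r["fixed_in"]) if r["fixed_in"] else "(no fix available)"
        lines.append(f"{r['artifact']:<20} {r['version']:<8} {r['id']:<16} {r['severity']:<9} {fixed}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python grype_gate.py grype-report.json   (no argument: run on the embedded sample)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_REPORT
    findings = parse_report(text)
    print(render_table(findings))
    sys.exit(1 if should_fail_build(findings, threshold="high", only_fixable=True) else 0)
```

Run it as python grype_gate.py grype-report.json; with no argument it scores the embedded sample and exits 1 because two fixable findings are at High or above. Grype can enforce the same policy directly with --fail-on high (exit code 1 when any match is at or above that severity) and --only-fixed (drop matches with no fix available); the script is for when you want the table in your own format or a policy those flags do not express.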
Links:
https://www.chainguard.dev/unchained/why-chainguard-uses-grype-as-its-first-line-of-defense-for-cves